Message-ID: <2024051920-CVE-2024-35944-a860@gregkh>
Date: Sun, 19 May 2024 12:11:38 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-35944: VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.

memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)

WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237

Some code commentry, based on my understanding:

544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
/// This is 24 + payload_size

memcpy(&dg_info->msg, dg, dg_size);
	Destination = dg_info->msg ---> this is a 24 byte
					structure(struct vmci_datagram)
	Source = dg --> this is a 24 byte structure (struct vmci_datagram)
	Size = dg_size = 24 + payload_size

{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.

 35 struct delayed_datagram_info {
 36         struct datagram_entry *entry;
 37         struct work_struct work;
 38         bool in_dg_host_queue;
 39         /* msg and msg_payload must be together. */
 40         struct vmci_datagram msg;
 41         u8 msg_payload[];
 42 };

So those extra bytes of payload are copied into msg_payload[], a run time
warning is seen while fuzzing with Syzkaller.

One possible way to fix the warning is to split the memcpy() into
two parts -- one -- direct assignment of msg and second taking care of payload.

Gustavo quoted:
"Under FORTIFY_SOURCE we should not copy data across multiple members
in a structure."

The Linux kernel CVE team has assigned CVE-2024-35944 to this issue.


Affected and fixed versions
===========================

	Fixed in 4.19.312 with commit e87bb99d2df6
	Fixed in 5.4.274 with commit f15eca95138b
	Fixed in 5.10.215 with commit ad78c5047dc4
	Fixed in 5.15.155 with commit 130b0cd06487
	Fixed in 6.1.86 with commit feacd430b42b
	Fixed in 6.6.27 with commit dae70a575656
	Fixed in 6.8.6 with commit 491a1eb07c2b
	Fixed in 6.9 with commit 19b070fefd0d

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35944
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/misc/vmw_vmci/vmci_datagram.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051
	https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b
	https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100
	https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74
	https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75
	https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73
	https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f
	https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec

Powered by blists - more mailing lists